HIPAA Consent Management

The Health Insurance Portability and Accountability Act (HIPAA) establishes strict requirements for how protected health information (PHI) is used and disclosed. When healthcare organizations, insurers, or their business associates collect consent or authorization from patients and consumers, the records must meet specific content and retention standards.

eConsent helps covered entities and business associates capture consent and authorization events with litigation-grade evidence, including full session replays, DOM snapshots, and cryptographic attestation.

Authorization vs. consent under HIPAA

HIPAA distinguishes between two types of consumer agreement:

Type	Purpose	When required
Consent	Allows use and disclosure of PHI for treatment, payment, and healthcare operations (TPO)	Optional under HIPAA but commonly required by organizational policy
Authorization	Allows use and disclosure of PHI for purposes beyond TPO, such as marketing or research	Required by HIPAA for non-TPO disclosures

Note

eConsent captures both consent and authorization events. The platform does not distinguish between them at the recording level --- both are tracked with the same session replay, attestation, and certificate infrastructure. The distinction is in your disclosure language and form design.

Required elements for valid HIPAA authorization

A valid HIPAA authorization under 45 CFR 164.508 must contain:

1. Description of PHI to be used or disclosed
2. Name of the person or entity authorized to make the disclosure
3. Name of the person or entity to whom the disclosure will be made
4. Purpose of the use or disclosure
5. Expiration date or event
6. Signature and date of the individual (or their representative)
7. Right to revoke and how to exercise it
8. Statement that information may be subject to re-disclosure and no longer protected

How eConsent captures these elements

eConsent does not generate the authorization form content --- that remains your responsibility. What eConsent provides is irrefutable proof that the consumer saw the authorization language and agreed to it:

• SHA-256 hash of the exact page content at the time of consent
• DOM snapshot proving which elements were visible, their position, and their text content
• Session replay showing the consumer reading the page, scrolling, and interacting with the form
• Timestamp with millisecond precision
• Consumer identity extracted from form fields (name, email, phone)
• Cryptographic attestation tying all evidence together in a tamper-proof certificate

Capturing HIPAA consent

Form setup

Your HIPAA authorization or consent form should include all required elements listed above. eConsent tracks the consumer’s interaction with the form regardless of its specific content.

Install the tracking script on your consent form page:

<script
  src="https://api.econsent.org/api/web"
  data-property-id="YOUR_PROPERTY_ID"
  async
></script>

Configure the consent selector to target the authorization checkbox or signature element. See Consent Selector for setup instructions.

Verifying HIPAA consent records

After a patient or consumer submits an authorization, verify the consent record exists:

Node.js

async function verifyHIPAAConsent(email, phone) {
  const response = await fetch('https://api.econsent.org/api/verify/match', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${process.env.ECONSENT_API_TOKEN}`,
    },
    body: JSON.stringify({
      email: email,
      phone: phone,
      company_id: process.env.ECONSENT_COMPANY_ID,
    }),
  });

  const result = await response.json();

  if (result.status === 200 && result.certificate_id) {
    return {
      authorized: true,
      certificateId: result.certificate_id,
      certificateUrl: result.certificate_url,
    };
  }

  return { authorized: false };
}

Python

import os
import requests

def verify_hipaa_consent(email, phone):
    response = requests.post(
        'https://api.econsent.org/api/verify/match',
        headers={
            'Content-Type': 'application/json',
            'Authorization': f'Bearer {os.getenv("ECONSENT_API_TOKEN")}',
        },
        json={
            'email': email,
            'phone': phone,
            'company_id': os.getenv('ECONSENT_COMPANY_ID'),
        },
    )
    result = response.json()

    if result.get('status') == 200 and result.get('certificate_id'):
        return {
            'authorized': True,
            'certificate_id': result['certificate_id'],
            'certificate_url': result.get('certificate_url'),
        }

    return {'authorized': False}

Retention requirements

HIPAA requires covered entities to retain authorization records for a minimum of 6 years from the date of creation or the date when the authorization was last in effect, whichever is later.

Caution

eConsent currently supports retention periods up to 5 years per property. For HIPAA’s 6-year requirement, contact your account manager to configure extended retention on your properties. Enterprise and High Volume plans support custom retention periods beyond 5 years.

Recommended configuration

1. Set property-level expiration to the maximum available (5 years or custom).
2. Enable auto-retention in certificates mode to ensure all authorization events are retained.
3. Enable overage notifications so your compliance team is alerted if quota is exceeded.

curl -X PUT https://api.econsent.org/api/retention/settings \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "autoRetentionEnabled": true,
    "autoRetentionMode": "certificates",
    "notifyOnOverage": true,
    "overageNotificationEmails": ["hipaa-compliance@yourcompany.com"]
  }'

Handling revocation

HIPAA gives individuals the right to revoke their authorization at any time, except to the extent that the covered entity has already acted in reliance on the authorization. eConsent supports immediate revocation through:

• Opt-Out API --- process revocations programmatically from your patient portal or CRM
• Dashboard --- manual revocation with audit trail
• CSV upload --- bulk revocation for large-scale opt-out processing

See Revocation & Opt-Out for implementation details.

Note

When a HIPAA authorization is revoked through eConsent, the certificate is flagged as opted out and all verification calls return 403. The original session recording and certificate remain stored for the configured retention period to maintain the audit trail.

Audit trail

Every action taken on a HIPAA consent record is logged in the eConsent audit log:

Event	Logged details
Consent captured	Timestamp, session ID, certificate ID, consumer identity, page hash
Certificate generated	Attestation data, SHA-256 hashes, storage locations
Verification query	Who queried, when, what was returned
Revocation	Who revoked, when, method (API/dashboard/CSV), reason
Retention	When the session was retained, storage tier

Access the audit log from Settings > Audit Log in your dashboard. See Audit Log for details.

HIPAA compliance checklist

Authorization form

Ensure your form includes all 8 required HIPAA authorization elements. eConsent captures proof of what was shown, not the form content itself.

Six-year retention

Contact your account manager to configure 6-year retention. Enable auto-retention in certificates mode.

Revocation process

Implement a clear revocation process and integrate with the eConsent Opt-Out API for real-time processing.

Business associate agreement

If eConsent processes PHI on your behalf, ensure a Business Associate Agreement (BAA) is in place. Contact sales for BAA execution.

Next steps

• TCPA Compliance Guide. Related consent compliance for telemarketing
• Consent Attestation. How cryptographic attestation creates tamper-proof records
• Retention Management. Configure retention periods and quotas
• Revocation & Opt-Out. Handle consumer revocation requests